Method for probabilistic analysis of most frequently occurring electronic message addresses within personal store (.PST) files to determine owner with confidence factor based on relative weight and set of user-specified factors

ABSTRACT

A probabilistic process to determine the owner of an electronic file, such as a Personal Store (.pst). A weighted analysis of multiple factors is performed including the operating system file owner, a user running the process, a “top Y most frequently occurring addresses” when analyzing “X number of sent then received messages,” and a number of occurrences of each “top Y most frequently occurring address.” Other factors, such as the ability to resolve against a directory service may be used. Each of the “top Y most frequently occurring addresses” is analyzed to calculate its weight according to a predetermined relationship and the address is compared to the operating system file owner and a logged-on user value. If there is a match, that value is returned as the probable owner of the file.

FIELD OF THE INVENTION

This invention relates in general to the field of content analysis. Moreparticularly, this invention relates to a probabilistic analysis of thecontent of a file to determine an owner of the file.

BACKGROUND OF THE INVENTION

Organizations are becoming increasingly sensitive to the issuessurrounding regulatory compliance, data management, and disasterrecoverability. In a MICROSOFT Exchange environment, client-sidePersonal Folder Information Store (PST) files provide a means for endusers to create stores of messaging data that is beyond the managementability of an organization's IT staff. The use of these files should bediscouraged in a managed environment, especially one that is subject toregulatory compliance rules. To address this issue, it is possible toadministratively restrict the use and creation of .pst files.Additionally, several tools are available that allow the programmaticimport of existing .pst data into the centralized MICROSOFT Exchangedatabase(s).

Despite these tools, no inventory and analysis tools currently existthat can provide an organization with a useful picture of the amount ofdata in .pst files and ownership thereof. This information enablesplanning for a fully centralized messaging data environment. Ownershipinformation also enables an efficient process for importation or otherdisposition of the existing/legacy .pst data.

SUMMARY OF THE INVENTION

A probabilistic process to determine the owner of an electronic file,such as a Personal Store (.pst). A weighted analysis of multiple factorsis performed including the operating system file owner, a user runningthe process, a “top Y most frequently occurring addresses” whenanalyzing “X number of sent then received messages,” and a number ofoccurrences of each “top Y most frequently occurring address.” Otherfactors, such as the ability to resolve against a directory service maybe used.

Each of the “top Y most frequently occurring addresses” is analyzed tocalculate its weight according to a predetermined relationship. Next,each address is compared to the operating system file owner and alogged-on user value to determine weather there is a match with thedirectory service resolved name for the address. If there is a match,that value is returned as the probable owner of the file. The combinedweights of the matching values will be returned as a “confidencefactor.” If there is no match, the weights of all values are analyzed,and the top weighted entry will be returned as the probable owner andthe combined weights of the matching values will be returned as the“confidence factor.”

Additional features and advantages of the invention will be madeapparent from the following detailed description of illustrativeembodiments that proceeds with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing summary, as well as the following detailed description ofpreferred embodiments, is better understood when read in conjunctionwith the appended drawings. For the purpose of illustrating theinvention, there is shown in the drawings exemplary constructions of theinvention; however, the invention is not limited to the specific methodsand instrumentalities disclosed. In the drawings:

FIG. 1 is a block diagram showing an exemplary computing environment inwhich aspects of the invention may be implemented; and

FIGS. 2-3 illustrate exemplary processes that are performed inaccordance with the present invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

Exemplary Computing Environment

FIG. 1 illustrates an example of a suitable computing system environment100 in which the invention may be implemented. The computing systemenvironment 100 is only one example of a suitable computing environmentand is not intended to suggest any limitation as to the scope of use orfunctionality of the invention. Neither should the computing environment100 be interpreted as having any dependency or requirement relating toany one or combination of components illustrated in the exemplaryoperating environment 100.

The invention is operational with numerous other general purpose orspecial purpose computing system environments or configurations.Examples of well known computing systems, environments, and/orconfigurations that may be suitable for use with the invention include,but are not limited to, personal computers, server computers, hand-heldor laptop devices, multiprocessor systems, microprocessor-based systems,set top boxes, programmable consumer electronics, network PCs,minicomputers, mainframe computers, distributed computing environmentsthat include any of the above systems or devices, and the like.

The invention may be described in the general context ofcomputer-executable instructions, such as program modules, beingexecuted by a computer. Generally, program modules include routines,programs, objects, components, data structures, etc. that performparticular tasks or implement particular abstract data types. Theinvention may also be practiced in distributed computing environmentswhere tasks are performed by remote processing devices that are linkedthrough a communications network or other data transmission medium. In adistributed computing environment, program modules and other data may belocated in both local and remote computer storage media including memorystorage devices.

With reference to FIG. 1, an exemplary system for implementing theinvention includes a general purpose computing device in the form of acomputer 110. Components of computer 110 may include, but are notlimited to, a processing unit 120, a system memory 130, and a system bus121 that couples various system components including the system memoryto the processing unit 120. The system bus 121 may be any of severaltypes of bus structures including a memory bus or memory controller, aperipheral bus, and a local bus using any of a variety of busarchitectures. By way of example, and not limitation, such architecturesinclude Industry Standard Architecture (ISA) bus, Micro ChannelArchitecture (MCA) bus, Enhanced ISA (EISA) bus, Video ElectronicsStandards Association (VESA) local bus, Peripheral ComponentInterconnect (PCI) bus (also known as Mezzanine bus), PeripheralComponent Interconnect Express (PCI-Express), and Systems Management Bus(SMBus).

Computer 110 typically includes a variety of computer readable media.Computer readable media can be any available media that can be accessedby computer 110 and includes both volatile and non-volatile media,removable and non-removable media. By way of example, and notlimitation, computer readable media may comprise computer storage mediaand communication media. Computer storage media includes both volatileand non-volatile, removable and non-removable media implemented in anymethod or technology for storage of information such as computerreadable instructions, data structures, program modules or other data.Computer storage media includes, but is not limited to, RAM, ROM,EEPROM, flash memory or other memory technology, CD-ROM, digitalversatile disks (DVD) or other optical disk storage, magnetic cassettes,magnetic tape, magnetic disk storage or other magnetic storage devices,or any other medium which can be used to store the desired informationand which can accessed by computer 110. Communication media typicallyembodies computer readable instructions, data structures, programmodules or other data in a modulated data signal such as a carrier waveor other transport mechanism and includes any information deliverymedia. The term “modulated data signal” means a signal that has one ormore of its characteristics set or changed in such a manner as to encodeinformation in the signal. By way of example, and not limitation,communication media includes wired media such as a wired network ordirect-wired connection, and wireless media such as acoustic, RF,infrared and other wireless media. Combinations of any of the aboveshould also be included within the scope of computer readable media.

The system memory 130 includes computer storage media in the form ofvolatile and/or non-volatile memory such as ROM 131 and RAM 132. A basicinput/output system 133 (BIOS), containing the basic routines that helpto transfer information between elements within computer 110, such asduring start-up, is typically stored in ROM 131. RAM 132 typicallycontains data and/or program modules that are immediately accessible toand/or presently being operated on by processing unit 120. By way ofexample, and not limitation, FIG. 1 illustrates operating system 134,application programs 135, other program modules 136, and program data137.

The computer 110 may also include other removable/non-removable,volatile/non-volatile computer storage media. By way of example only,FIG. 1 illustrates a hard disk drive 141 that reads from or writes tonon-removable, non-volatile magnetic media, a magnetic disk drive 151that reads from or writes to a removable, non-volatile magnetic disk152, and an optical disk drive 155 that reads from or writes to aremovable, non-volatile optical disk 156, such as a CD-ROM or otheroptical media. Other removable/non-removable, volatile/non-volatilecomputer storage media that can be used in the exemplary operatingenvironment include, but are not limited to, magnetic tape cassettes,flash memory cards, digital versatile disks, digital video tape, solidstate RAM, solid state ROM, and the like. The hard disk drive 141 istypically connected to the system bus 121 through a non-removable memoryinterface such as interface 140, and magnetic disk drive 151 and opticaldisk drive 155 are typically connected to the system bus 121 by aremovable memory interface, such as interface 150.

The drives and their associated computer storage media, discussed aboveand illustrated in FIG. 1, provide storage of computer readableinstructions, data structures, program modules and other data for thecomputer 110. In FIG. 1, for example, hard disk drive 141 is illustratedas storing operating system 144, application programs 145, other programmodules 146, and program data 147. Note that these components can eitherbe the same as or different from operating system 134, applicationprograms 135, other program modules 136, and program data 137. Operatingsystem 144, application programs 145, other program modules 146, andprogram data 147 are given different numbers here to illustrate that, ata minimum, they are different copies. A user may enter commands andinformation into the computer 110 through input devices such as akeyboard 162 and pointing device 161, commonly referred to as a mouse,trackball or touch pad. Other input devices (not shown) may include amicrophone, joystick, game pad, satellite dish, scanner, or the like.These and other input devices are often connected to the processing unit120 through a user input interface 160 that is coupled to the systembus, but may be connected by other interface and bus structures, such asa parallel port, game port or a universal serial bus (USB). A monitor191 or other type of display device is also connected to the system bus121 via an interface, such as a video interface 190. In addition to themonitor, computers may also include other peripheral output devices suchas speakers 197 and printer 196, which may be connected through anoutput peripheral interface 195.

The computer 110 may operate in a networked environment using logicalconnections to one or more remote computers, such as a remote computer180. The remote computer 180 may be a personal computer, a server, arouter, a network PC, a peer device or other common network node, andtypically includes many or all of the elements described above relativeto the computer 110, although only a memory storage device 181 has beenillustrated in FIG. 1. The logical connections depicted include a localarea network (LAN) 171 and a wide area network (WAN) 173, but may alsoinclude other networks. Such networking environments are commonplace inoffices, enterprise-wide computer networks, intranets and the Internet.

When used in a LAN networking environment, the computer 110 is connectedto the LAN 171 through a network interface or adapter 170. When used ina WAN networking environment, the computer 110 typically includes amodem 172 or other means for establishing communications over the WAN173, such as the Internet. The modem 172, which may be internal orexternal, may be connected to the system bus 121 via the user inputinterface 160, or other appropriate mechanism. In a networkedenvironment, program modules depicted relative to the computer 110, orportions thereof, may be stored in the remote memory storage device. Byway of example, and not limitation, FIG. 1 illustrates remoteapplication programs 185 as residing on memory device 181. It will beappreciated that the network connections shown are exemplary and othermeans of establishing a communications link between the computers may beused.

Exemplary Embodiments

Referring to FIGS. 2 and 3, the present invention provides aprobabilistic process to determine the owner of a MICROSOFT OUTLOOKpersonal store (.pst) or other file through the weighted analysis ofseveral user-specified factors (see, reference numerals 200 and 202).For example, such factors may be placed in a record 204 and may includethe file owner, the user who ran the discovery process, the “top Y mostfrequently occurring addresses when analyzing X number of sent thenreceived messages,” a number of occurrences of each of the returned “topY most frequently occurring addresses,” etc. The record 204 may bestored as an XML file and provided to an analysis component 206.

Each of the top Y most frequently occurring addresses are analyzed bythe analysis component 206 to calculate its weight according to thefollowing formula:

${Weight} = {\left( \frac{{Yn} + F}{{Y\; 1} + {Y\; 2} + {Y\; 3\ldots}} \right) - \left( {G + W} \right)}$

where:

W=a configurable weight based on Window NT file system (NTFS) file owner

G=a configurable weight set by the user who ran the discovery process

Y1+Y2+Y3 . . . =configurable weights based on the top Y most frequentlyoccurring addresses when analyzing the X number of sent then receivedmessages

Yn=number of occurrences of each of the returned top Y most frequentlyoccurring addresses. This is used to determine relative weight againstthe other top Y most frequently occurring addresses.

F=a configurable weight based on the ability to resolve against aDirectory Service (e.g., Active Directory).

Exemplary default values for the various variables are as follows:

-   X=200-   Y=4-   F=50-   W=0.02-   G=0.1

Each address is then compared to the “NTFS File Owner” and “Logged OnUser” values to determine whether there is an exact match with aDirectory Service (e.g., Active Directory) resolved name for the e-mailaddress (reference numeral 208). If there is a match, that value isreturned as the probable Personal Store (.pst) owner and placed in therecord 204 a.

FIG. 3 illustrates a variation of the above where the combined weightsof the matching values in the record 204 b are returned as a “confidencefactor.” If there is no match, the weights of all values will beanalyzed and the top weighted entry will be returned as the probablePersonal Store (.pst) owner and the combined weights of the matchingvalues will be returned as the “confidence factor” in the record 204 c.

In accordance with an aspect of the present invention the determinationof the file owner is made without an administrator reading the emailsand content within the .pst file as the process of analyzing the filecontents may be performed via an automated means. In addition, thepresent invention can be extended to analyze other types of filescontaining data from which factors can be derived and weighted (e.g.,documents where factors such as the sender and recipient can beweighted, etc.).

An example application of the above will now be described. If ananalysis is performed on the first 200 (x=200) messages sent thenreceived in a .pst file and the four (y=4) most frequently occurringemail addresses in from and to fields are collected, the followingresults may be obtained:

Address Number of hits richwebb 80 dkearney 38 dkeamey@microsoft.com 40ms@ms.com 40

Next, it is determined whether each of these addresses resolve against aDirectory Service (e.g., Active Directory, an LDAP server, etc.) asshown in FIG. 2. In this case, the first three addresses do resolve to:

-   REDMOND\richwebb-   REDMOND\dkearney-   REDMOND\dkearney-   The last address, ms@ms.com does not resolve.

Now, for each address, it is determined if the resolved address matcheseither the collected NTFS file owner or the account of the user whoexecuted the analysis tool of the present invention. If there is an NTFSfile owner match the value W is set to 0. If there is an executing usermatch, the value G is set to 0. If there is no match for NTFS FileOwner, then W=0.02. If there is no match for an executing user match,the G=0.1.

Next it is determined if the weight of each of the top Y addresses(y=4).

Richwebb—Resolved against the directory service (e.g., F=50), NTFS fileowner match (W=0.02), no executing user match (G=0). The analysis forRichwebb is thus the following:(80+50)/(80+38+40+40)−(0.02+0)=0.64

Dkearney—Resolved against directory service (F=50), NTFS file ownermatch (W=0.02), executing user match (G=0.01). The analysis for Dkearneyis thus the following:(38+50)/(80+38+40+40)−(0.02+0.01)=0.41

dkearney@microsoft.com—Resolved against directory (F=50), NTFS fileowner match (W=0.02), executing user match (G=0.01). The analysis fordkearney@microsoft.com is thus the following:(40+50)(80+38+40+40)−(0.02+0.01)=0.42

ms@ms.com—No resolution against directory (F=0), No NTFS file ownermatch (W=0), no Executing user match (G=0). The analysis for ms@ms.comis thus the following:(40+0)/(80+38+40+40)−(0+0)=0.20

Next it is determined if any of the top Y addresses (y=4) are in factduplicates. If they are, their calculated weight values are combined asshown in FIG. 3. In this example, dkearney and dkeamey@microsoft.comboth resolved to REDMOND@kearney and are duplicates. As a result, we addtheir weight values (0.41+0.42).

-   REDMOND\Richwebb=0.64-   REDMOND\dkearney=0.83-   ms@ms.com=0.20

Next the result is returned. In this case, REDMOND\kearney has beenidentified as the .pst file owner with a confidence factor of 0.83.

While the present invention has been described in connection with thepreferred embodiments of the various FIGS., it is to be understood thatother similar embodiments may be used or modifications and additions maybe made to the described embodiment for performing the same function ofthe present invention without deviating therefrom. For example, oneskilled in the art will recognize that the present invention asdescribed in the present application may apply to any computing deviceor environment, whether wired or wireless, and may be applied to anynumber of such computing devices connected via a communications network,and interacting across the network. Furthermore, it should be emphasizedthat a variety of computer platforms, including handheld deviceoperating systems and other application specific operating systems arecontemplated, especially as the number of wireless networked devicescontinues to proliferate. Still further, the present invention may beimplemented in or across a plurality of processing chips or devices, andstorage may similarly be effected across a plurality of devices.Therefore, the present invention should not be limited to any singleembodiment, but rather should be construed in breadth and scope inaccordance with the appended claims.

1. A method of determining a probable owner of a personal store file ina computer, the method comprising: receiving a set of user-specifiedfactors including a first number of most frequently occurring addressesand a second number of sent-then-received electronic messages to beanalyzed for said first number of most frequently occurring addresses;determining the first number of most frequently occurring addressesamong the second number of sent-then-received electronic messages withinsaid personal store file; applying a weight to each of said first numberof determined most frequently occurring addresses based on a number ofoccurrences of each of said first number of determined most frequentlyoccurring addresses and one or more user-specified factors of the set ofuser-specified factors; determining a relative weight of each of saidfirst number of determined most frequently occurring addresses;determining if any of said first number of determined most frequentlyoccurring addresses are duplicate addresses; summing the relativeweights of duplicate addresses to create a combined relative weight andsetting the relative weight of one of the duplicate address to thecombined relative weight; returning a top weighted address of said firstnumber of determined most frequently occurring addresses as saidprobable owner of said personal store file with a confidence factorderived from the relative weight and the set of user-specified factors.2. The method of claim 1, further comprising: determining an operatingsystem file owner of said personal store file; applying a first weightedvalue to said operating system file owner; and using said first weightedvalue to determine said relative weight of each said frequentlyoccurring address.
 3. The method of claim 1, further comprising:determining if each said frequently occurring address resolves against adirectory service; applying a second weighted value if said frequentlyoccurring address resolves against the directory service; and using saidsecond weighted value to determine said relative weight of each saidfrequently occurring address.
 4. The method of claim 1, furthercomprising: determining an identity of a user who is performing saidmethod; applying a third weighted value to said identity; and using saidthird weighted value to determine said relative weight of each saidfrequently occurring address.
 5. The method of claim 1, wherein saidstep of determining said relative weights further comprises applying thefollowing relationship:${Weight} = {\left( \frac{{Yn} + F}{{Y\; 1} + {Y\; 2} + {Y\; 3\ldots}} \right) - \left( {G + W} \right)}$where: W=a configurable weight based on an operating system file owner;G=a configurable weight set by a user performing said method; Y1+Y2+Y3 .. . = configurable weights based on said predetermined number of mostfrequently occurring addresses; Yn=number of occurrences of each saidfrequently occurring address; and F=a configurable weight based on theability to resolve against a directory service.
 6. The method of claim1, further comprising performing said method without a user viewing thecontents of said personal store file.
 7. A method of determining anowner of an electronic file in a computer, the method comprising:receiving a set of one or more user-specified factors associated withsaid electronic file, wherein said user-specified factors include afirst number of most frequently occurring addresses among a secondnumber of sent-then-received electronic messages within said electronicfile to be analyzed for said first number of most frequently occurringaddresses; determining the first number of most frequently occurringaddresses among the second number of sent-then-received electronicmessages within said personal store file; applying weights to saiduser-specified factors; defining a first factor that is to be comparedto others of said user-specified factors, wherein the first factor isdefined as a number of occurrences of each of said first number ofdetermined most frequently occurring addresses; determining a relativeweight for each of said first number of determined most frequentlyoccurring addresses; determining if any of said first number ofdetermined most frequently occurring addresses are duplicate addresses:summing the relative weights of duplicate addresses to create a combinedrelative weight and setting the relative weight of one of the duplicateaddress to the combined relative weight; and returning a top weightedaddress of said first number of determined most frequently occurringaddresses as said owner of said electronic file with a confidence factorderived from the relative weight and the set of user-specified factors.8. The method of claim 7, further comprising: defining an operatingsystem file owner of said electronic file as a second factor; applying asecond weighted value to said second factor; and using said secondweighted value to determine said relative weight of each of saidfrequently occurring addresses.
 9. The method of claim 7, furthercomprising: determining if each said most frequently occurring addressresolves against a directory service; applying a third weighted value toeach said frequently occurring address that resolves against thedirectory service; and using said third weighted value to determine saidrelative weight of each said frequently occurring address.
 10. Themethod of claim 7, further comprising: defining an identity of a userwho is performing said method as a fourth factor; applying a fourthweighted value to said fourth factor; and using said fourth weightedvalue to determine said relative weight of each of said most frequentlyoccurring addresses.
 11. The method of claim 7, wherein said step ofdetermining said relative weight further comprising applying thefollowing relationship:${Weight} = {\left( \frac{{Yn} + F}{{Y\; 1} + {Y\; 2} + {Y\; 3\ldots}} \right) - \left( {G + W} \right)}$where: W=a configurable weight based on an operating system file owner;G=a configurable weight set by a user performing said method; Y1+Y2+Y3 .. . = configurable weights based on said first factor of said severalfactors; Yn=number of occurrences of each said candidate; and F=aconfigurable weight based on the ability to resolve against a directoryservice.
 12. The method of claim 7, further comprising performing saidmethod without a user viewing the contents of said electronic file. 13.A method of determining ownership of an electronic file containinge-mail messages in a computer, the method comprising: receiving a set ofuser-specified factors including a first number of most frequentlyoccurring addresses and a second number of sent-then-received e-mailmessages to be analyzed for said first number of most frequentlyoccurring addresses; determining a the first number of most frequentlyoccurring addresses among the-second number of sent-then-received e-mailmessages within said electronic file, applying a weight to each of saidfirst number of determined most frequently occurring addresses based ona number of occurrences of each of said first number of determined mostfrequently occurring addresses and one or more user-specified factors ofthe set of user-specified factors; determining a relative weight of eachof said first number of determined most frequently occurring addresses;determining if any of said first number of determined most frequentlyoccurring addresses are duplicate addresses; summing the relativeweights of duplicate addresses to create a combined relative weight andsetting the relative weight of one of the duplicate address to thecombined relative weight; and determining said ownership of saidelectronic file in accordance with the relative weight of each of saidfirst number of determined most frequently occurring addresses with aconfidence factor derived from the relative weight and the set ofuser-specified factors.
 14. The method of claim 13, further comprising:determining if each of said most frequently occurring addresses resolvesagainst a directory service; weighting each of said most frequentlyoccurring addresses in accordance with whether said each of said mostfrequently occurring addresses resolves against the directory service;and determining said ownership further in accordance with saidweighting.
 15. The method of claim 13, further comprising: determiningan operating system owner of said electronic file; applying a weight tosaid operating system owner; and determining said ownership further inaccordance with said weighting.
 16. The method of claim 13, furthercomprising; determining an identity of a user who is performing saidmethod; weighting said identity; and determining said ownership furtherin accordance with said weighting.